current_track = LE_32(&header[i + 8]);
if (current_track + 1 > fourxm->track_count) {
fourxm->track_count = current_track + 1;
+ if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack))
+ return -1;
fourxm->tracks = av_realloc(fourxm->tracks,
fourxm->track_count * sizeof(AudioTrack));
if (!fourxm->tracks) {
#endif
av_register_image_format(&jpeg_image_format);
#endif
- av_register_image_format(&gif_image_format);
- av_register_image_format(&sgi_image_format);
+ av_register_image_format(&gif_image_format);
+// av_register_image_format(&sgi_image_format); heap corruption, dont enable
#endif //CONFIG_ENCODERS
/* file protocols */
int fifo_read(FifoBuffer *f, uint8_t *buf, int buf_size, uint8_t **rptr_ptr);
void fifo_write(FifoBuffer *f, uint8_t *buf, int size, uint8_t **wptr_ptr);
int put_fifo(ByteIOContext *pb, FifoBuffer *f, int buf_size, uint8_t **rptr_ptr);
-void fifo_realloc(FifoBuffer *f, int size);
+void fifo_realloc(FifoBuffer *f, unsigned int size);
/* media file input */
AVInputFormat *av_find_input_format(const char *short_name);
get_le32(pb); /* ClrUsed */
get_le32(pb); /* ClrImportant */
+ if(size > 10*4 && size<(1<<30)){
st->codec.extradata_size= size - 10*4;
st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
+ }
if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly
get_byte(pb);
nb_index_entries = size / 16;
if (nb_index_entries <= 0)
return -1;
+ if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry))
+ return -1;
/* read the entries and sort them in each stream component */
for(i = 0; i < nb_index_entries; i++) {
/* reallocate buffer if needed */
new_size = d->pos + buf_size;
new_allocated_size = d->allocated_size;
+ if(new_size < d->pos || new_size > INT_MAX/2)
+ return -1;
while (new_size > new_allocated_size) {
if (!new_allocated_size)
new_allocated_size = new_size;
else
- new_allocated_size = (new_allocated_size * 3) / 2 + 1;
+ new_allocated_size += new_allocated_size / 2 + 1;
}
if (new_allocated_size > d->allocated_size) {
else
io_buffer_size = 1024;
+ if(sizeof(DynBuffer) + io_buffer_size < io_buffer_size)
+ return -1;
d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
if (!d)
return -1;
s->transparent_color_index = -1;
s->screen_width = get_le16(f);
s->screen_height = get_le16(f);
+ if( (unsigned)s->screen_width > 32767
+ || (unsigned)s->screen_height > 32767){
+ av_log(NULL, AV_LOG_ERROR, "picture size too large\n");
+ return -1;
+ }
+
v = get_byte(f);
s->color_resolution = ((v & 0x70) >> 4) + 1;
has_global_palette = (v & 0x80);
frame_rate = ap->frame_rate;
frame_rate_base = ap->frame_rate_base;
+ if((unsigned)width > 32767 || (unsigned)height > 32767)
+ return -1;
+
st = av_new_stream(s1, 0);
if (!st)
return -ENOMEM;
static char *b64_encode( unsigned char *src )
{
static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
- char *dst = av_malloc( strlen( src ) * 4 / 3 + 12 );
- char *ret = dst;
+ unsigned int len= strlen(src);
+ char *ret, *dst;
unsigned i_bits = 0;
unsigned i_shift = 0;
-
+
+ if(len < UINT_MAX/4){
+ ret=dst= av_malloc( len * 4 / 3 + 12 );
+ }else
+ return NULL;
+
for( ;; )
{
if( *src )
if (ap && ap->image_format)
s->img_fmt = ap->image_format;
- strcpy(s->path, s1->filename);
+ pstrcpy(s->path, sizeof(s->path), s1->filename);
s->img_number = 0;
s->img_count = 0;
VideoData *img = s->priv_data;
img->img_number = 1;
- strcpy(img->path, s->filename);
+ pstrcpy(img->path, sizeof(img->path), s->filename);
/* find format */
if (s->oformat->flags & AVFMT_NOFILE)
return -ENOMEM;
}
- strcpy(s->path, s1->filename);
+ pstrcpy(s->path, sizeof(s->path), s1->filename);
s->img_number = 0;
s->img_count = 0;
VideoData *img = s->priv_data;
img->img_number = 1;
- strcpy(img->path, s->filename);
+ pstrcpy(img->path, sizeof(img->path), s->filename);
/* find format */
if (s->oformat->flags & AVFMT_NOFILE)
/* ebml strings are usually not 0-terminated, so we allocate one
* byte more, read the string and NULL-terminate it ourselves. */
- if (!(*str = av_malloc(size + 1))) {
+ if (size < 0 || !(*str = av_malloc(size + 1))) {
av_log(matroska->ctx, AV_LOG_ERROR, "Memory allocation failed\n");
return AVERROR_NOMEM;
}
/* empty */;
a.size -= 8;
+
+ if(a.size < 0)
+ break;
+
// av_log(NULL, AV_LOG_DEBUG, " i=%ld\n", i);
if (c->parse_table[i].type == 0) { /* skip leaf atoms data */
// url_seek(pb, atom.offset+atom.size, SEEK_SET);
{
unsigned int len;
MOV_ctab_t *t;
- //url_fskip(pb, atom.size); // for now
+#if 1
+ url_fskip(pb, atom.size); // for now
+#else
+ VERY VERY BROKEN, NEVER execute this, needs rewrite
c->ctab = av_realloc(c->ctab, ++c->ctab_size);
t = c->ctab[c->ctab_size];
t->seed = get_be32(pb);
if (t->clrs)
get_buffer(pb, t->clrs, len);
}
+#endif
return 0;
}
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ if((uint64_t)atom.size > (1<<30))
+ return -1;
+
// currently SVQ3 decoder expect full STSD header - so let's fake it
// this should be fixed and just SMI header should be passed
av_free(st->codec.extradata);
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
+ if((uint64_t)atom.size > (1<<30))
+ return -1;
+
av_free(st->codec.extradata);
st->codec.extradata_size = atom.size;
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
- int entries, i;
+ unsigned int i, entries;
print_atom("stco", atom);
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb);
+
+ if(entries >= UINT_MAX/sizeof(int64_t))
+ return -1;
+
sc->chunk_count = entries;
sc->chunk_offsets = (int64_t*) av_malloc(entries * sizeof(int64_t));
if (!sc->chunk_offsets)
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
- int entries, i;
+ unsigned int i, entries;
print_atom("stsc", atom);
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb);
+
+ if(entries >= UINT_MAX / sizeof(MOV_sample_to_chunk_tbl))
+ return -1;
+
#ifdef DEBUG
av_log(NULL, AV_LOG_DEBUG, "track[%i].stsc.entries = %i\n", c->fc->nb_streams-1, entries);
#endif
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
- int entries, i;
+ unsigned int i, entries;
print_atom("stss", atom);
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb);
+
+ if(entries >= UINT_MAX / sizeof(long))
+ return -1;
+
sc->keyframe_count = entries;
#ifdef DEBUG
av_log(NULL, AV_LOG_DEBUG, "keyframe_count = %ld\n", sc->keyframe_count);
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
- int entries, i;
+ unsigned int i, entries;
print_atom("stsz", atom);
sc->sample_size = get_be32(pb);
entries = get_be32(pb);
+ if(entries >= UINT_MAX / sizeof(long))
+ return -1;
+
sc->sample_count = entries;
#ifdef DEBUG
av_log(NULL, AV_LOG_DEBUG, "sample_size = %ld sample_count = %ld\n", sc->sample_size, sc->sample_count);
{
AVStream *st = c->fc->streams[c->fc->nb_streams-1];
//MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
- int entries, i;
+ unsigned int i, entries;
int64_t duration=0;
int64_t total_sample_count=0;
get_byte(pb); /* version */
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb);
+ if(entries >= UINT_MAX / sizeof(uint64_t))
+ return -1;
c->streams[c->fc->nb_streams-1]->stts_count = entries;
c->streams[c->fc->nb_streams-1]->stts_data = (uint64_t*) av_malloc(entries * sizeof(uint64_t));
if (table_entries_used > 0) {
nsv->index_entries = table_entries_used;
+ if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
+ return -1;
nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t));
get_buffer(pb, nsv->nsvf_index_data, table_entries * sizeof(uint32_t));
}
int written_packet_size;
int64_t packet_start[3]; //0-> startcode less, 1-> short startcode 2-> long startcodes
FrameCode frame_code[256];
- int stream_count;
+ unsigned int stream_count;
uint64_t next_startcode; ///< stores the next startcode if it has alraedy been parsed but the stream isnt seekable
StreamContext *stream;
int max_distance;
return -1;
}
-static int get_str(ByteIOContext *bc, char *string, int maxlen){
- int len= get_v(bc);
+static int get_str(ByteIOContext *bc, char *string, unsigned int maxlen){
+ unsigned int len= get_v(bc);
if(len && maxlen)
get_buffer(bc, string, FFMIN(len, maxlen));
static uint64_t get_vb(ByteIOContext *bc){
uint64_t val=0;
- int i= get_v(bc);
+ unsigned int i= get_v(bc);
if(i>8)
return UINT64_MAX;
}
nut->stream_count = get_v(bc);
+ if(nut->stream_count > MAX_STREAMS){
+ av_log(s, AV_LOG_ERROR, "too many streams\n");
+ return -1;
+ }
nut->max_distance = get_v(bc);
nut->max_short_distance = get_v(bc);
nut->rate_num= get_v(bc);
/* codec specific data headers */
while(get_v(bc) != 0){
st->codec.extradata_size= get_v(bc);
+ if((unsigned)st->codec.extradata_size > (1<<30))
+ return -1;
st->codec.extradata= av_mallocz(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
get_buffer(bc, st->codec.extradata, st->codec.extradata_size);
// url_fskip(bc, get_v(bc));
if(next_packet(avfcontext, &op)){
return -1;
}
+ if(op.bytes >= (1<<16) || op.bytes < 0)
+ return -1;
codec->extradata_size+= 2 + op.bytes;
codec->extradata= av_realloc(codec->extradata, codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
p= codec->extradata + codec->extradata_size - 2 - op.bytes;
return AVERROR_INVALIDDATA;
film->base_clock = BE_32(&scratch[8]);
film->sample_count = BE_32(&scratch[12]);
+ if(film->sample_count >= UINT_MAX / sizeof(film_sample_t))
+ return -1;
film->sample_table = av_malloc(film->sample_count * sizeof(film_sample_t));
for(i=0; i<s->nb_streams; i++)
info->xsize = (unsigned short) get_be16(f);
info->ysize = (unsigned short) get_be16(f);
info->zsize = (unsigned short) get_be16(f);
+
+ if(info->zsize > 4096)
+ info->zsize= 0;
#ifdef DEBUG
printf("sgi header fields:\n");
*/
int av_new_packet(AVPacket *pkt, int size)
{
- void *data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
+ void *data;
+ if((unsigned)size > (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_NOMEM;
+ data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!data)
return AVERROR_NOMEM;
memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
uint8_t *data;
/* we duplicate the packet and don't forget to put the padding
again */
+ if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_NOMEM;
data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!data) {
return AVERROR_NOMEM;
return 0;
}
-void fifo_realloc(FifoBuffer *f, int new_size){
- int old_size= f->end - f->buffer;
+void fifo_realloc(FifoBuffer *f, unsigned int new_size){
+ unsigned int old_size= f->end - f->buffer;
if(old_size < new_size){
uint8_t *old= f->buffer;
AVIndexEntry *entries, *ie;
int index;
+ if((unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry))
+ return -1;
+
entries = av_fast_realloc(st->index_entries,
&st->index_entries_allocated_size,
(st->nb_index_entries + 1) *
sizeof(AVIndexEntry));
+ if(!entries)
+ return -1;
+
st->index_entries= entries;
index= av_index_search_timestamp(st, timestamp, 0);
if ((ret = get_buffer(pb, preamble, 4)) != 4)
return AVERROR_IO;
wc3->palette_count = LE_32(&preamble[0]);
+ if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE)
+ return -1;
wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE);
break;